# Malware-Analysis-Reports/MountLocker at master · Finch4/Malware-Analysis-Reports · GitHub **[github.com/Finch4/Malware-Analysis-Reports/tree/main/MountLocker](https://github.com/Finch4/Malware-Analysis-Reports/tree/main/MountLocker)** Finch4 ## Analysis of MountLocker MountLocker is a Ransomware which appeared first on July 2020, in the sample there are references to a Public RSA Key and ChaCha20. Lately seems an update added also a worm feature. **Please note, I'm still learning, the analysis is incomplete (and some parts** **may be wrong), if you want to read a full analysis read** **[here](https://chuongdong.com/reverse%20engineering/2021/05/23/MountLockerRansomware/)** ## Sample MalwareBazaar: https://bazaar.abuse.ch/sample/4a5ac3c6f8383cc33c795804ba5f7f5553c029b bb4a6d28f1e4d8fb5107902c1/ ## Starting from the start ----- Here is simply passing the the command-line string for the current process to the function I renamed, `mw_main Inside` `mw_main we find two other calls to` ``` mw_check_parameters and mw_core ## Diving into mw_check_parameters ``` ----- The function starts parsing the arguments, the result is then allocated to the variable `command_line_args, if retrieving the arguments is successful the` sample will continue otherwise as you can imagine it will return and the if at ``` mw_main will never be True and the sample will exit. ``` When entering the if the most interesting functions seems the one which receive as arguments: command_line_args, pNumArgs, {CUSTOM_STRING}, I renamed this function `mw_check_if_contains` ``` mw_check_if_contains ``` starting from the first two calls to this functions we can see the strings ``` "/LOGIN=" and "/PASSWORD=" stored inside what seems an array, later you ``` will se that these arguments are used as part of the worm feature, `"/LOGIN="` will contains the `lpUserName and as you can image` `"/PASSWORD=" will` contains `lpPassword the others are more features/options of MountLocker,` here a list: ``` commands = [ "/LOGIN=", "/PASSWORD=", "/CONSOLE", "/NODEL", "/NOKILL", "/NOLOG", "/SHAREALL", "/NETWORK", "/PARAMS=", "/TARGET=", "/FAST=", "/MIN=", "/MAX=", "/FULLPD", "/MARKER=", "/NOLOCK=" ] ``` ----- ## Diving into mw_core **The first two calls are for COM objects, since still I'm learning I didn't** **really understood how you use them, so for the moment I will ignore the** **calls related to it.** The first call is easy understandable, is retrieving the admin status of the current user, InitializeCriticalSection acts as Mutex for threads. ``` dword_1400137EC is assigned in mw_check_parameters and its value is 0, ``` so a !0 will return True, now we have two calls to `lstrcpyW,` ``` &ExistingFileName is assigned in mw_check_parameters mw_check_parameters ``` Here is checking if the file for the logs has been created, if yes set ``` isLogFeatureEnabled to True, same if the command "/CONSOLE" is ``` passed ----- inside `mw_console_log` `isLogFeatureEnabled is checked if is True, if yes,` call another function which will check if to write to file or console, or both ``` mw_console_log sub_140007454 mw_collect_sys_informations ``` Now the function `mw_init_crypto will be called, I renamed this function like` that, because seems importing the RSA Key ----- Here is the RSA Key: ``` 06 02 00 00 00 A4 00 00 52 53 41 31 00 08 00 00 01 00 01 00 89 9C 9E 71 D9 2B E9 50 B1 75 DA 27 07 AA 43 6D FD D7 EA 21 29 7E 8F 07 03 A7 77 57 E4 7F F2 3D 8F 7C CE 25 51 A9 06 37 79 34 54 C2 D3 6A 18 65 7F 60 21 13 D0 81 A1 46 AE D3 33 44 17 21 98 BC 09 62 06 F5 5D 49 D9 37 7D 1E 06 9B 99 48 2B 7C 75 0B DA DB C4 B6 E3 63 10 E0 FB C6 FF C8 61 B5 B1 CC D9 F4 8E B9 B7 EE D3 1C EA 1C 6B E7 99 95 07 34 F5 C0 FC C3 F0 CB 1A 37 86 F8 D6 61 4D 37 73 BA 9C A7 1A 9D DF 87 B6 B3 76 CD 85 8E A5 DD E8 E4 BB 42 FB 46 1E D6 E6 9E 89 52 5D F8 B2 06 B9 6F 05 1D 5C 5A C4 D9 C3 89 05 98 AD 95 7E FB 46 38 C0 F3 C3 3B 8D 8A 52 DB BD 42 C9 0C E4 87 E9 8D 42 B0 C0 48 7A 7E 62 27 AE 87 C8 00 44 89 E8 78 41 AC 79 EB DC 42 D1 97 9D 75 9E 0D EE 43 33 05 61 F3 5D 65 5C 42 95 69 E8 E5 34 3B 99 30 B7 CB E6 8F 85 F5 BB E8 33 A7 05 5A B6 A0 BE F1 A0 D8 38 F6 38 37 39 35 33 38 65 32 30 62 38 32 65 38 30 30 35 32 64 64 35 66 37 65 66 39 61 64 35 30 37 37 ``` The `CryptEncrypt call seems encrypting the buffer` `&Src with RSA, curios` is the fact that `&Src is used in another function which I renamed` ``` mw_wrap_chacha because is a wrapper to a function which uses ChaCha ``` [an help to recognize the ChaCha function is given to CAPA a fantastic tool](https://github.com/fireeye/capa) [developed by the FireEye Team](https://www.fireeye.com/) ----- and also if you look carefully to the strings next we can see some instructions that have something to do with the command `"/NETWORK" if you pass this argument and the executable isn't` started as administrator, the function will return if the `"/NETWORK" command isn't passed, we proceed` here we check if the command `"/NOKILL" has been passed, if yes we` proceed to calling `mw_killservices and` `mw_kill_processes, from the` names you can easily understand what it's doing, these are two lists of which services and processes will terminate If the service name contains those strings close the service ----- ``` services_to_close [ "SQL", "database", "msexchange", ] ``` These are the processes ----- ``` processes_to_kill [ "msftesql.exe", "sqlagent.exe", "sqlbrowser.exe", "sqlwriter.exe", "oracle.exe", "ocssd.exe", "dbsnmp.exe", "synctime.exe", "agntsvc.exe", "isqlplussvc.exe", "xfssvccon.exe", "sqlservr.exe", "mydesktopservice.exe", "ocautoupds.exe", "encsvc.exe", "firefoxconfig.exe", "tbirdconfig.exe", "mydesktopqos.exe", "ocomm.exe", "mysqld.exe", "mysqld-nt.exe", "mysqld-opt.exe", "dbeng50.exe", "sqbcoreservice.exe", "excel.exe", "infopath.exe", "msaccess.exe", "mspub.exe", "onenote.exe", "outlook.exe", "powerpnt.exe", "sqlservr.exe", "thebat.exe", "steam.exe", "thebat64.exe", "thunderbird.exe", "visio.exe", "winword.exe", "wordpad.exe", "QBW32.exe", "QBW64.exe", "ipython.exe", "wpython.exe", "python.exe", "dumpcap.exe", "procmon.exe", "procmon64.exe", "procexp.exe", "procexp64.exe" ] ``` after killing the processes and the services, the sample checks for the command "/TARGET=" ----- seems to be a command to target specific files, specific drive, specific server meanwhile this is the default lock ----- ## Overview of the worm feature Seems the worm feature is divided in two categories: Enum PC into domain Enum PC into network Both share the need of ``` "/LOGIN=" and "/PASSWORD=" ``` After getting access to the computer it will drop the same executable passing the command `"/NOLOG", you can see also other if statements checking if the` ``` servername contains certain strings ``` ----- After a service called `"Update{GetTickCount()}" will be created` with `lpBinaryPathName equal to the path where the sample has been` dropped also it seems to create a process with WMI [ROOT\CIMV2](https://docs.microsoft.com/en-us/windows/win32/winrm/windows-remote-management-and-wmi#constructing-the-uri-prefix-for-wmi-classes) ----- [Create - Win32](https://docs.microsoft.com/en-us/windows/win32/cimwin32prov/create-method-in-class-win32-process) The function `mw_create_worm_service will return` `GetLastError()` if the return value != 1326 `ERROR_LOGON_FAILURE` `"The user name or` `password is incorrect."` https://docs.microsoft.com/enus/windows/win32/debug/system-error-codes--1300-1699 it will switch the return value and then write it in the logs Same for creating a process with the WMI ----- ## Conclusion I spent some time for this analysis, I hope it is correct and useful, please if you notice some errors in the analysis let me know, I want to improve myself. Seen this is my best analysis right now I would like to add some informations about myself; I'm Italian and I'm 17 years old, I would like to get a job as Malware Analyst when I will turn 18, for more information this is my secondary email: **[blacXkdog1X7of@XgmaiXl.com (remove all "X")](http://10.10.0.46/mailto:blacXkdog1X7of@XgmaiXl.com)** Thank you for reading my analysis! ## Feedbacks Thanks to: [https://twitter.com/cPeterr [https://chuongdong.com/]](https://twitter.com/cPeterr) ## Useful resources -----